openssh unix dev - Sep 2004 - openssh-3.9p1: no pam_close_session() invocation

Hello,

I would like to point to this problem again as I have not seen a reply to 
my original posting:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106458208520320&w=2

and the problem still exists in version 3.9p1.

After closing a ssh-session the pam_close_session() function is not 
invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does not 
help.

Could someone acknowledge the problem, or even better, could some openssh 
developer fix it?

With kind regards
CB
-- 
Dr. Carsten Benecke, Regionales Rechenzentrum, Universit?t Hamburg,
Schl?terstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097,
Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at rrz.uni-hamburg.de

Dr. Carsten Benecke wrote:
> After closing a ssh-session the pam_close_session() function is not 
> invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does 
> not help.
That appears to be the case.  I have opened a bug (with patch):
http://bugzilla.mindrot.org/show_bug.cgi?id=926

Could you please try the patch and let us know if it resolves the problem?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Hello,

I have tested the patch and traced the pam_xxx() calls. With 
"UsePrivilegeSeparation no" in the config file the pam_close_session()
function now is called after closing a session:

3.9p1 without patch, without Privsep:

debug_sm_authenticate: entered (<no comment>)
pid = 19406, ppid = 19345, uid = 0, euid = 0
debug_sm_acct_mgmt: entered (<no comment>)
pid = 19406, ppid = 19345, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 19406, ppid = 19345, uid = 0, euid = 0
debug_sm_open_session: entered (<no comment>)
pid = 19410, ppid = 19406, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 19410, ppid = 19406, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 19406, ppid = 19345, uid = 0, euid = 0


3.9p1 with patch, without Privsep:

debug_sm_authenticate: entered (<no comment>)
pid = 20184, ppid = 20179, uid = 0, euid = 0
debug_sm_acct_mgmt: entered (<no comment>)
pid = 20184, ppid = 20179, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 20184, ppid = 20179, uid = 0, euid = 0
debug_sm_open_session: entered (<no comment>)
pid = 20188, ppid = 20184, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 20188, ppid = 20184, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 20184, ppid = 20179, uid = 0, euid = 0
debug_sm_close_session: entered (<no comment>)
pid = 20184, ppid = 20179, uid = 0, euid = 0


By putting "UsePrivilegeSeparation yes" in the config file the call to
pam_close_session() leaks root privileges (which are necessary in my case):

3.9p1 with patch, with Privsep:
debug_sm_authenticate: entered (<no comment>)
pid = 20123, ppid = 20116, uid = 0, euid = 0
debug_sm_acct_mgmt: entered (<no comment>)
pid = 20123, ppid = 20116, uid = 0, euid = 0
debug_sm_open_session: entered (<no comment>)
pid = 20128, ppid = 20123, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 20128, ppid = 20123, uid = 0, euid = 0
debug_sm_setcred: entered (<no comment>)
pid = 20128, ppid = 20123, uid = 1002, euid = 1002
debug_sm_close_session: entered (<no comment>)
pid = 20128, ppid = 20123, uid = 1002, euid = 1002


Another problem remains. Even without priviledge separation the process 
that calls pam_start_session() ist not the same process which calls 
pam_close_session(). In my case this is necessary as I pass some 
information in the pam environment that is used by successive pam modules.

So it would be perfect to have a single process that
* has root privileges and
* does _all_ pam_xxx() calls.

Is that possible?

Best regards
CB


Darren Tucker schrieb:
> Dr. Carsten Benecke wrote:
> 
>> After closing a ssh-session the pam_close_session() function is not 
>> invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) 
>> does not help.
> 
> 
> That appears to be the case.  I have opened a bug (with patch):
> http://bugzilla.mindrot.org/show_bug.cgi?id=926
> 
> Could you please try the patch and let us know if it resolves the problem?
> 

-- 
Dr. Carsten Benecke, Regionales Rechenzentrum, Universit?t Hamburg,
Schl?terstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097,
Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at rrz.uni-hamburg.de